UPDATE: Universal Plug and Play issues

[effex]

Are you using a static port on your outbound NAT rule? Port randomisation seems to break various games. I also find denying port 3074 using UPNP ACLs will force some XBL games to retry on other ports and has fixed a few problems.

I'm looking at my firewall now and can see about 25 different NAT rules generated by UPNP currently so it appears to be working.

FWIW we run gaming events with around 1,000 - 1,200 devices and UPNP worked well for us the past two events we ran.

Hi Tawmu, your fixes to UPnP were working fine up until 3/21/2023.

Bungie has changed something in the game that I believe requires IGDv1 for UPnP to work properly.

Some individuals on reddit are saying their DumaOS based routers are still getting port maps set up properly.

I don't see how I could compile a miniupnpd that would support IGDv1, I'd need development support as I'm not deep on this code base.

I've confirmed it also doesn't work on an OpenWRT based ER605 Omada router.

[effex]

I solved it by using a rule like this...



Gianluca

Hi Gianluca,

Static port mapping will work fine for a single console and give you moderate NAT. It won't help you when you have multiple.

[effex]

Are you using a static port on your outbound NAT rule? Port randomisation seems to break various games. I also find denying port 3074 using UPNP ACLs will force some XBL games to retry on other ports and has fixed a few problems.

I'm looking at my firewall now and can see about 25 different NAT rules generated by UPNP currently so it appears to be working.

FWIW we run gaming events with around 1,000 - 1,200 devices and UPNP worked well for us the past two events we ran.

I believe this is specific to Destiny 2 and it being extremely picky with UPnP. This post talks about the configuration changes needed for UPnP on OpenWRT:

On the main configuration page, the importation options are below:
Start UPnP and NAT-PMP service = enabled
Enable UPnP functionality = enabled
Enable NAT-PMP functionality = enabled
Enable IGDv1 mode = enabled (The important option, Destiny 2 does not like IGDv2)
Port = 0 (Allows automatic port selection)

[guest28834]

I can see miniupnpd has a runtime option to report as an IGDv1 device even when running in IGDv2 mode so perhaps this is the easiest option to add into opnsense, assuming it works reliably for Windows devices. Someone on the OpenWRT forums suggests that runtime option isn't enough but it looks as if there's a workaround for Windows clients already in miniupnpd: https://github.com/miniupnp/miniupnp/commit/2f2685af97c28ee3559af8d0a0cdf5d8b215a68f

The thing is when I tested Windows clients before submitting miniupnpd changes a couple of months ago I definitely saw it creating UPNP entries (because I know for a fact Windows Firewall stops Windows talking to a UPNP server in a different subnet when we forward broadcasts across VLANs). I guess this suggests some games just have rubbish UPNP implementations.

@effex i'm away from a firewall at the moment so I cannot check but I believe there was also a bug in miniupnpd versions prior to 2.3 that meant the v1 reporting to MS clients was broken. Can you check what version of the miniupnpd package your firewall is running? If it's <2.3 then try installing the miniupnpd-devel package in opnsense and test again.